
The Value of an External Network Penetration Test


T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Nov 24, 2010 12:22 pm

The Value of an External Network Penetration Test


So, in my short-lived career as a penetration tester, I have performed around 4 external security assessments. Each assessment consisted of a scope of less than 20 public IP addresses, on which brute force and denial of service attacks were not permitted. On each occasion 1 or more of the following services are identified during a full TCP and UDP port scan.

21,22
23
25
53
80
443
1723
8080

Taking away ports 80, 443 and 8080, which depend on whether there is a website available publicly and not secured so that only particular IP addresses can connect to it, I often find that the assessment is not very fruitful.

So what testing do I perform? Well, on an FTP service I will check to see if anonymous access is permitted, whether weak credentials are in use (without running hydra to brute-force, as apparently this is not permitted??), grab the banner and check for vulnerabilities in the software; on most occasions I pretty much can only report on the fact that FTP is clear text! Am I missing something or is this how all external network penetration tests are?

MaXe


Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Wed Nov 24, 2010 1:23 pm

Re: The Value of an External Network Penetration Test

Depending on which web application they are using on ports 80, 443 and perhaps 8080 (and even alternative ports), try to replicate their setup as much as possible, especially including addons. Then begin auditing / pentesting those addons locally and try to locate / find vulnerabilities in those; then, if you're permitted, check if they work on the target site.

Furthermore, you can also try to replicate the software they use and fuzz that and hope you may find a 0day within that, simply by fuzzing the hell out of those services in a smart way of course.

Also, check how many vulnerabilities have previously been found within the products / software and web applications they use, what kind of vulnerabilities are the most common to be found within these, and so forth. Your chances of finding a similar vulnerability are high in case the same type of vulnerability "respawns" within certain versions when new features are implemented.

For instance, Persistent and Non-Persistent Cross-Site Scripting vulnerabilities are quite common to be found within vBulletin, compared to SQL Injection, Local and Remote File Inclusion and especially Remote Code Execution. So if you had to pentest vBulletin, then your best bet would be Cross-Site Scripting.

There's a blog here, about a 0day found within vBulletin recently:
http://www.exploit-db.com/vbulletin-a-j ... loitation/

It was found by mistake, while I was doing some voluntary administrative work for another site, and after confirming the vulnerability I used a few days to research and develop a working exploit.

If the target is using custom coded software on their server, it is of course harder to develop an exploit for, but if they're using a Web Application, then the possibility of a vulnerability existing is increasing on a major scale. Especially due to insufficient time for the developers to either code secure applications or learn how to do that, and of course, implementation issues :)
I'm an InterN0T'er

caissyd


Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Wed Nov 24, 2010 2:02 pm

Re: The Value of an External Network Penetration Test

Were these "Black Box" tests? Did you have access to their facilities? Because if you do have access, you may be able to run brute force attacks on their QA servers during a weekend (or something similar). In addition, being able to do a configuration review on the server always reveals little useful things.

Also, why do they need Telnet open on an external server? Maybe there is a special business need for that, but more likely than not, people could easily use SSH. And as you pointed out yourself, why use FTP?

You can also test the NIDS, trying a slow and more stealthy scan. Check firewall rules, propose little improvements here and there!

Another good trick is to ask them up front what they are the most afraid of and spend more time on those things (or at least, make them obvious in the report).

I believe that, as pentesters, if we show our clients that we have looked at "everything" and we are proposing many subtle changes to their environment, then they will know we are professionals and we did look closely at their environment. Even if we didn't find a single big vulnerability, we can still provide good value...

And MaXe is right: only once did I not find a vulnerability in a custom web application. So check them closely!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

rattis


Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Nov 24, 2010 2:14 pm

Re: The Value of an External Network Penetration Test

We sadly use FTP for some things here. Even though there is an SFTP box (same box actually) set up.

Our biggest issue is our customers not being able to get THEIR IT people to install the tool (we recommend filezilla) they need AND open the ports for ssh. In fact the majority of the customers access our FTP servers via web browsers.

That reminds me. I should test something I've been wondering about.
OSWP, Sec+

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Nov 24, 2010 5:17 pm

Re: The Value of an External Network Penetration Test

Hi Guys

Thanks for the responses, but I think maybe I should have explained myself a little better. Staying away from ports 80, 443, 8080 and any other websites running on non-standard ports (as I tend to always have some success attacking a web app/webserver), I wanted to know whether I was missing something when attacking those other services which I commonly found during my external network tests, i.e. 21, 22, 23, 25, 53, 1723, other than what I mentioned. Obviously I would check the other services in a slightly different manner to FTP, i.e. 25 for mail relay, enumerating users using HELO, EXPN, VRFY etc., but I just wanted to know whether external tests always tend to be fairly boring..

@H1t M0nk3y - They were blackbox tests and I didn't have access to their facilities.
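The VRFY/EXPN point above is easy to get wrong in both directions: an MTA that answers every VRFY with 252 is not leaking anything, while one that answers 252 for a real mailbox and 550 for a bogus one is. The following is an added example (not from this thread) of how an operator can verify their own MTA's behaviour: it compares the reply codes for `postmaster` (which RFC 5321 requires to exist) and a constructed, almost certainly absent name, using only the standard library's smtplib; the helper names, the probe strings and the recorded replies in the comments are assumptions.

```python
"""Does an MTA's VRFY/EXPN reply reveal whether a mailbox exists?"""
import smtplib
from typing import Dict, Tuple

Reply = Tuple[int, bytes]  # (SMTP reply code, reply text) as smtplib returns it

# RFC 5321 requires 'postmaster' to exist, so it is the known-good probe;
# the second name is constructed to be almost certainly absent.
KNOWN_USER = "postmaster"
UNKNOWN_USER = "zq8v1x3kq7-nonexistent"

DISABLED = {500, 502}  # command not implemented / administratively disabled


def classify(known: Reply, unknown: Reply) -> str:
    """Return 'disabled', 'uniform' (no mailbox information leaks) or 'leaks'.

    The leak is not any single code: it is a *difference* between the reply
    for a real user and the reply for a bogus one. Postfix's default VRFY,
    for example, answers 252 for a known local user and 550 for an unknown
    one, which is exactly what user enumeration relies on.
    """
    k, u = known[0], unknown[0]
    if k in DISABLED and u in DISABLED:
        return "disabled"      # e.g. Postfix with disable_vrfy_command = yes
    if k == u:
        return "uniform"       # same answer either way: nothing to distinguish
    return "leaks"             # e.g. 252 vs 550: existence is distinguishable


def probe_live(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Run the same comparison against a reachable MTA and report per command."""
    results: Dict[str, str] = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        for name, command in (("VRFY", smtp.verify), ("EXPN", smtp.expn)):
            results[name] = classify(command(KNOWN_USER), command(UNKNOWN_USER))
    return results


if __name__ == "__main__":
    # Offline walk-through on constructed replies (no network needed):
    # a default Postfix-style VRFY, then the same server after hardening.
    print(classify((252, b"2.0.0 postmaster"), (550, b"5.1.1 User unknown")))
    print(classify((502, b"5.5.1 VRFY command is disabled"),
                   (502, b"5.5.1 VRFY command is disabled")))
```

For Postfix the remediation is `disable_vrfy_command = yes` in main.cf; the hardened server should then classify as "disabled" for VRFY.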
